Conficker vulnerability still high with many users not applying patches

Sophos is warning PC users to ensure they patch against Conficker after discovering that high levels of vulnerability still exist

IT security and control firm Sophos is reminding computer users of the importance of ensuring their PCs are up to date with the latest security patches following research that shows many PCs are still not patched against Conficker.

The data comes from Sophos's Endpoint Assessment Test, a free tool that scans a computer and assesses whether it is a security risk to your organisation. A single scan checks that your Microsoft service pack is the current one for your operating system, your Microsoft patches are all up to date, anti-virus protection is installed, running and current, and that a personal firewall is installed and running.

After examining the results for all users who took the test since January 1st this year, Sophos found that 11 percent still did not have the Microsoft MS08-067 patch installed which can, amongst other things, help protect against the spread of Conficker. Sophos experts note that worryingly the situation does not appear to have improved despite recent publicity regarding Conficker - when looking at the figures just for March, 10 percent were still missing the essential patch.

'We would have hoped that computer users would have woken up to the threats and installed this patch,' said Graham Cluley, senior technology consultant at Sophos. 'Not only has the patch been available since last October, there's also been so many reports on the potential consequences of failing to patch. This is pretty depressing news. Of course, we can't extrapolate this to mean that 10 percent of all PCs around the world aren't running the Microsoft patch, but it certainly tells a sorry story for a notable percentage of those who took our test. It appears that the percentage of computers not patched against the exploit used by Conficker is holding steady.'

Sophos recommends that all organisations take control of their IT security with better patch vulnerability assessment/remediation, alongside Network Access Control (NAC).